Summary: SELinux is preventing /usr/bin/xargs access to a leaked file descriptor. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by the xargs command. It looks like this is either a leaked descriptor or xargs output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the . You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Additional Information: Source Context system_u:system_r:afs_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects [ file ] Source xargs Source Path /usr/bin/xargs Port <Unknown> Host (removed) Source RPM Packages findutils-4.4.2-6.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-106.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name leaks Host Name (removed) Platform Linux pc35.ecg.mit.edu 2.6.32.10-90.fc12.x86_64 #1 SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Thu 01 Apr 2010 05:01:02 PM EDT Last Seen Thu 01 Apr 2010 05:01:02 PM EDT Local ID a7828dd8-a5d6-4f15-b920-0a3f75ef7459 Line Numbers Raw Audit Messages node=pc35.ecg.mit.edu type=AVC msg=audit(1270155662.189:283): avc: denied { read write open } for pid=604 comm="xargs" name="" dev=dm-0 ino=36732852 scontext=system_u:system_r:afs_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file node=pc35.ecg.mit.edu type=SYSCALL msg=audit(1270155662.189:283): arch=c000003e syscall=59 success=no exit=-2 a0=7fff748eda7c a1=8f6070 a2=7fff748edd60 a3=75632f7477672f74 items=0 ppid=12151 pid=604 auid=768 uid=768 gid=1002 euid=768 suid=768 fsuid=768 egid=1002 sgid=1002 fsgid=1002 tty=pts7 ses=1 comm="xargs" exe="/usr/bin/xargs" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Hash String generated from leaks,xargs,afs_t,unlabeled_t,file,read,write,open audit2allow suggests: #============= afs_t ============== #!!!! The source type 'afs_t' can write to a 'file' of the following types: # etc_runtime_t, afs_cache_t, proc_afs_t, root_t allow afs_t unlabeled_t:file { read write open };
Miroslav, F13 has ifdef(`hide_broken_symptoms', ` kernel_rw_unlabeled_files(afs_t) ') Since afs is not a maintained part of the kernel, this is a kernel bug, but we have no one that works on AFS. Best to cover it up with policy for now.
Daniel could you report this as a bug to the AFS kernel people.
I just added dhowells who does some afs work. dwalsh can you explain what is supposed to be running in the afs_t domain? Maybe that will help us figure out where this xargs is being called and help us find the unlabeled inode. Note that finished setup of the inode is usually done in d_instantiate, so the AFS code might be not calling d_instantiate somewhere it should?
Fixed in selinux-policy-3.6.32-109.fc12
/usr/sbin/afsd runs as afs_t, This is the afs client process, used to setup the kernel to use afs, I believe. /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) /usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0) /usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) /usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0) These are the server side labels.
selinux-policy-3.6.32-110.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-110.fc12
selinux-policy-3.6.32-110.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-110.fc12
selinux-policy-3.6.32-110.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.